Authentication Service

LobeHub provides a complete authentication service capability when deployed. The following are the relevant environment variables. You can use these environment variables to easily define the identity verification services that need to be enabled in LobeHub.

Better Auth

General Settings

AUTH_SECRET

• Type: Required
• Description: Key used to encrypt session tokens. You can generate the key using the command: openssl rand -base64 32.
• Default: -
• Example: Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=

AUTH_EMAIL_VERIFICATION

• Type: Optional
• Description: Set to 1 to require email verification before users can sign in. Users must verify their email address after registration.
• Default: 0
• Example: 1

AUTH_SSO_PROVIDERS

• Type: Optional
• Description: Comma-separated list of enabled SSO providers. The order determines the display order of providers on the login page.
• Default: -
• Example: google,github,microsoft,cognito

AUTH_ALLOWED_EMAILS

• Type: Optional
• Description: Comma-separated list of allowed emails or domains for registration. Supports full email addresses (e.g., [email protected]) or domain names (e.g., example.com). Leave empty to allow all emails.
• Default: -
• Example: example.com,[email protected]

AUTH_DISABLE_EMAIL_PASSWORD

• Type: Optional
• Description: Set to 1 to disable email/password authentication, forcing users to use SSO login only. When enabled, the email input will be hidden on the login page and the signup page will redirect to login.
• Default: 0
• Example: 1

JWKS_KEY

• Type: Required
• Description: JWKS (JSON Web Key Set) key for signing and verifying JWTs. Used for OIDC JWT token signing and internal service call authentication tokens. Must be a JWKS JSON string containing an RS256 RSA key pair.
• Default: -

<GenerateJWKSKey />

INTERNAL_JWT_EXPIRATION

• Type: Optional
• Description: Expiration time for internal JWT tokens used in lambda → async calls. Format: number followed by unit (s=seconds, m=minutes, h=hours). Should be as short as possible for security, but long enough to account for network latency and server processing time.
• Default: 30s
• Example: 30s, 1m, 1h

Email Service (SMTP)

These settings are required for email verification and password reset features.

SMTP_HOST

• Type: Required (for email features)
• Description: SMTP server hostname.
• Default: -
• Example: smtp.gmail.com

SMTP_PORT

• Type: Required (for email features)
• Description: SMTP server port. Usually 587 for TLS or 465 for SSL.
• Default: -
• Example: 587

SMTP_SECURE

• Type: Optional
• Description: Use secure connection. Set to true for port 465 (SSL), false for port 587 (TLS).
• Default: false
• Example: false

SMTP_USER

• Type: Required (for email features)
• Description: SMTP authentication username, usually your email address.
• Default: -
• Example: [email protected]

SMTP_PASS

• Type: Required (for email features)
• Description: SMTP authentication password. For Gmail, use an app-specific password.
• Default: -
• Example: your-app-specific-password

SMTP_FROM

• Type: Optional
• Description: Sender email address. Required for AWS SES where SMTP_USER is not a valid email address. If not set, defaults to SMTP_USER.
• Default: Value of SMTP_USER
• Example: [email protected]

Google

AUTH_GOOGLE_ID

• Type: Required
• Description: Client ID of the Google OAuth application. Get it from Google Cloud Console.
• Default: -
• Example: 123456789.apps.googleusercontent.com

AUTH_GOOGLE_SECRET

• Type: Required
• Description: Client Secret of the Google OAuth application.
• Default: -
• Example: GOCSPX-xxxxxxxxxxxxxxxxxxxx

GitHub

AUTH_GITHUB_ID

• Type: Required
• Description: Client ID of the GitHub OAuth application. Get it from GitHub Developer Settings.
• Default: -
• Example: Ov23xxxxxxxxxxxxx

AUTH_GITHUB_SECRET

• Type: Required
• Description: Client Secret of the GitHub OAuth application.
• Default: -
• Example: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Microsoft

AUTH_MICROSOFT_ID

• Type: Required
• Description: Client ID of the Microsoft Entra ID (Azure AD) application. Get it from Azure Portal.
• Default: -
• Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

AUTH_MICROSOFT_SECRET

• Type: Required
• Description: Client Secret of the Microsoft Entra ID application.
• Default: -
• Example: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

AUTH_MICROSOFT_AUTHORITY_URL

• Type: Optional
• Description: Authority URL for the Microsoft Entra ID. This is used to specify the endpoint for authentication requests.
• Default: https://login.microsoftonline.com
• Example: https://login.partner.microsoftonline.cn

AUTH_MICROSOFT_TENANT_ID

• Type: Optional
• Description: Directory (tenant) ID for single-tenant Microsoft Entra ID applications.
• Default: common
• Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

AWS Cognito

AUTH_COGNITO_ID

• Type: Required
• Description: Client ID of the AWS Cognito User Pool App Client. Get it from AWS Cognito Console.
• Default: -
• Example: xxxxxxxxxxxxxxxxxxxxx

AUTH_COGNITO_SECRET

• Type: Required
• Description: Client Secret of the AWS Cognito App Client.
• Default: -
• Example: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

AUTH_COGNITO_ISSUER

• Type: Required
• Description: The Cognito User Pool issuer URL. Format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
• Default: -
• Example: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx

Feishu

AUTH_FEISHU_APP_ID

• Type: Required
• Description: App ID of the Feishu application. Get it from Feishu Open Platform.
• Default: -
• Example: cli_xxxxxxxxxxxxxxxx

AUTH_FEISHU_APP_SECRET

• Type: Required
• Description: App Secret of the Feishu application.
• Default: -
• Example: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

WeChat

AUTH_WECHAT_ID

• Type: Required
• Description: App ID of the WeChat Open Platform application. Get it from WeChat Open Platform.
• Default: -
• Example: wxxxxxxxxxxxxxxxxxxx

AUTH_WECHAT_SECRET

• Type: Required
• Description: App Secret of the WeChat application.
• Default: -
• Example: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx